Linux Apache Servers Increasingly becoming Targets of Attack

According to security experts, attacks against Linux Apache servers are intensifying. Over 10,000 websites running Apache on Linux may have been compromised in an attempt to take over visitors' computers.

Massive attacks launched since December 2007 against Linux-based Apache servers have been increasingly successful because the break-in relies on default passwords and an automated installation process.

Research by Don Jackson, Senior Security Researcher at SecureWorks, shows that the mass attack, initially thought to have hijacked hundreds of websites, has compromised at least 10,000. PCWorld reported this on January 22, 2008.

The estimate of the total number of attacked websites was based on the number of alerts SecureWorks analysts observed from the countermeasures the company had set up to prevent malware infection on its clients' systems.

Jackson said he is aware of proof-of-concept code for a similar attack, based on stolen passwords and automated malware installation, that targets Microsoft's Internet Information Server. However, he has not seen it used as widely as the automated attack on Linux-based Apache servers is spreading.

According to SecureWorks, the attack uses the well-known Sdbot and Rbot malware, which targets nine or more security flaws in AOL SuperBuddy, QuickTime, and Yahoo Messenger in an effort to take control of Windows-based computers.

Jan Ramsey, Chief Technology Officer at SecureWorks, said that the perpetrators who injected their malicious code into the Apache servers did so very cleverly. SCMagazineUS reported this on January 24, 2008.

Ramsey said that the injected code changes how the Apache server behaves so that it installs malware content on visitors' machines.

In a prepared statement, SecureWorks said that the attacks do not resemble typical attacks from Chinese or Russian groups; there are, however, some indications that they originate in North America or Western Europe. SCMagazineUS published the statement on January 24, 2008.

SecureWorks further said that visitors to the infected sites can avoid infection by keeping their antivirus signatures up to date and applying patches for all affected software.